stake.link

DeFi, Hardhat, Bridge
27,500 USDC
Submission Details
Severity: high
Invalid

Mismatched Arrays in `distributeRewards` function

Summary

The distributeRewards function in SDLPoolCCIPControllerPrimary attempts to distribute rewards across secondary chains. However, it might suffer from a critical issue of creating two arrays, tokens and distributionAmounts, with mismatched lengths. The subsequent call to the _distributeRewards function using these arrays can lead to runtime errors and unexpected behavior.

Vulnerability Details & POC

  1. The tokens array is created with a length of 5 items.

  2. The whitelistedChains array, representing the total whitelisted chains, is configured with a length of 4.

  3. The distributionAmounts array is initialized with a length of numDestinations (whitelisted chains length), which is 4.

     `uint256[][] memory distributionAmounts = new uint256[][](numDestinations);`

  4. Inside the loop, distributionAmounts is populated with new uint256[](tokens.length), resulting in a distributionAmounts array with a length of 4.

  5. When calling _distributeRewards in the final loop, the arrays passed to the function have mismatched lengths:

     `_distributeRewards(whitelistedChains[i], tokens, distributionAmounts[i]);`

  6. The _distributeRewards function, in its loops, uses if (_rewardTokenAmounts[i] != 0) checks. Since _rewardTokens has a length of 5, and _rewardTokenAmounts is only 4, this can lead to out-of-bounds array access, resulting in runtime errors.

Impact

This mismatch in array lengths can cause unexpected behavior, runtime errors, and potential failure of the distribution logic. It may compromise the integrity of the reward distribution mechanism across secondary chains.

Tools Used

Manual review

Recommendations

To address this issue, it is crucial to ensure that the lengths of _rewardTokens and _rewardTokenAmounts are always the same when calling the _distributeRewards function. This can be achieved by performing proper validation or ensuring that arrays are constructed with matching lengths.

Updates

Lead Judging Commences

0kage Lead Judge over 1 year ago
Submission Judgement Published
Invalidated
Reason: Incorrect statement
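
The allocation pattern quoted in the submission, written out as an added Solidity sketch so the outer and per-destination array lengths can be read off directly, together with the explicit length check described under Recommendations. This is not the stake.link contract code: `ShapeCheck`, `buildAmounts`, `shapes`, `countNonZero` and `LengthMismatch` are hypothetical names, and the sizes 4 and 5 are the sample values from the submission.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.15;

// Added illustration: mirrors only the allocation line, the inner allocation and
// the call shape quoted in the submission. All names here are hypothetical.
contract ShapeCheck {
    error LengthMismatch(uint256 tokens, uint256 amounts);

    // Outer array: one row per destination chain (numDestinations).
    // Inner arrays: one slot per reward token (numTokens), as in
    // `new uint256[](tokens.length)`.
    function buildAmounts(uint256 numDestinations, uint256 numTokens)
        public
        pure
        returns (uint256[][] memory distributionAmounts)
    {
        distributionAmounts = new uint256[][](numDestinations);
        for (uint256 i = 0; i < numDestinations; ++i) {
            distributionAmounts[i] = new uint256[](numTokens);
        }
    }

    // Reports the outer length and the length of the row that would be passed
    // as distributionAmounts[i], for 4 whitelisted chains and 5 tokens.
    function shapes() external pure returns (uint256 outer, uint256 inner) {
        uint256[][] memory a = buildAmounts(4, 5);
        return (a.length, a[0].length);
    }

    // Per-destination loop with an explicit guard: reverts with a descriptive
    // error if the two arrays ever differ in length, before any indexing.
    function countNonZero(
        address[] memory _rewardTokens,
        uint256[] memory _rewardTokenAmounts
    ) public pure returns (uint256 nonZero) {
        if (_rewardTokens.length != _rewardTokenAmounts.length) {
            revert LengthMismatch(_rewardTokens.length, _rewardTokenAmounts.length);
        }
        for (uint256 i = 0; i < _rewardTokens.length; ++i) {
            if (_rewardTokenAmounts[i] != 0) ++nonZero;
        }
    }
}
```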
